Security professionals are often tasked with the unenviable position of wading through millions of bits of data, the review of thousands of systems, or the evaluation of hundreds of applications. At the end of the day it is their job to provide the ten thousand foot view of an organization and the highest rated findings that put it at risk. Information overload is a common theme in today’s society, and management requires the presentation of this material in a digestible manner of typically one page or less. The ability to provide this service requires what is often referred to as “seeing the forest for the trees.” In other words, don’t get distracted or bogged down by the minutiae of your discoveries at the risk of overlooking the big picture.

When it comes to computer forensics, however, the tables are flipped. When an event turns into an incident and management must answer to a board or the company’s shareholders, the ten thousand foot level is no longer adequate. At this point, every packet that ever crossed your company’s domain becomes suspect, and expectations are set whereby the answers to the questions such as, how did it happen, what damage did it do, where did it come from, when exactly did it occur, and who did it, requires the puzzle to be unravelled and presented in such excruciating detail it would make Melville take up skim-reading.